Process behaviour is often defined either in terms of the tests a process satisfies, or in terms of the logical
properties it enjoys. Here we compare these two approaches, using extensional testing in the style
of De Nicola and Hennessy, and a recursive version of the property logic HML.

We first characterise subsets of this property logic which can be captured by tests. Then we show 
that those subsets of the property logic capture precisely the power of tests. 

1 Introduction 

One central concern of concurrency theory is to determine whether two processes exhibit the same
behaviour; to this end, many notions of behavioural equivalence have been investigated [Gla93]. One
approach, proposed in [DH84], is based on tests. Intuitively two processes are testing equivalent, p ≈_test q,
relative to a set of tests T if p and q pass exactly the same set of tests from T. Much here depends of
course on details, such as the nature of tests, how they are applied and how they succeed.

In the framework set up in [DH84] observers have very limited ability to manipulate the processes
under test; informally, processes are conceived as completely independent entities which may or may not
react to testing requests; more importantly, the application of a test to a process simply consists of a run to
completion of the process in a test harness. Because processes are in general nondeterministic, formally
this leads to two testing based equivalences, p ≈_may q and p ≈_must q; the latter is determined by the set
of tests a process guarantees to pass, written p must satisfy t, while the former by those it is possible to
pass, p may satisfy t. The may equivalence provides a basis for the so-called trace theory of processes
[Hoa85], while the must equivalence can be used to justify the various denotational models based on
Failures used in the theory of CSP [Hoa85, Old87, DN83].

Another approach to behavioural equivalence is to say that two processes are equivalent unless there
is a property which one enjoys and the other does not. Here again much depends on the chosen set of
properties, and on what it means for a process to enjoy a property. Hennessy Milner Logic [HM85] is a
modal logic often used for expressing process properties in terms of the actions they are able to perform.
It is well known that it can be used, via differing interpretations, to determine numerous variations on
bisimulation equivalence [Mil89, AILS07]. What has received very little attention in the literature,
however, is the relationship between these properties and tests. This is the subject of the current paper.

More specifically, we address the question of determining which formulae of a recursive version
of the Hennessy Milner Logic, which we will refer to as recHML, can be used to characterise tests.
This problem has already been solved in [AI99] for a non-standard notion of testing; this is discussed
more fully later in the paper. Here we focus on the more standard notions of may and must testing
mentioned above.

To explain our results, at least intuitively, let us introduce some informal notation; formal definitions
will be given later in the paper. Suppose we have a property φ and a test t such that:

for every process p, p satisfies φ if and only if p may satisfy the test t.

Then we say the formula φ may-represents the test t. We use similar notation with respect to must testing.
Our first result shows that the power of tests can be captured by properties: for every test t

(i) there is a formula φ_may(t) which may-represents t; see Theorem 5.2;

(ii) there is a formula φ_must(t) which must-represents t; see Theorem 4.18.

Properties, or at least those expressed in recHML, are more discriminating than tests, and so one
would not expect the converse to hold. But we can give simple descriptions of subsets of recHML, called
mayHML and mustHML respectively, with the following properties:

(a) Every φ ∈ mayHML may-represents some test t_may(φ); see Theorem 5.1.

(b) Every φ ∈ mustHML must-represents some test t_must(φ); see Theorem 4.14.

Moreover, because the formulae φ_may(t), φ_must(t) given in (i), (ii) above are in mayHML, mustHML re-
spectively, these sub-languages of recHML have a pleasing completeness property. For example, let φ be
any formula from recHML which can be represented by some test t with respect to must testing; that is,
p satisfies φ if and only if p must satisfy t. Then, up to logical equivalence, the formula φ is guaranteed
to be already in the sub-language mustHML; that is, there is a formula ψ ∈ mustHML which is logically
equivalent to φ. The language mayHML has a similar completeness property for may testing.

We now give a brief overview of the remainder of the paper. In the next section we recall the formal
definitions required to state our results precisely. Our results in the may case will only hold when the set
of tests we consider comes from a finite state, finite branching LTS. Further, we also require the LTS
of processes to be finite branching when dealing with the must testing relation. The reader should also
be warned that we use a slightly non-standard interpretation of recHML.

We then explain both may and must testing, where we take as processes the set of states from an
arbitrary LTS, and give an explicit syntax for tests. In Section 3 we give a precise statement of our results,
including definitions of the sub-languages mayHML and mustHML, together with some illuminating
examples. The proofs of these results for the must case are given in Section 4, while those for the may
case are outlined in Section 5. We end with a brief comparison with related work.

2 Background 

One formal model for describing the behaviour of a concurrent system is given by Labelled Transition 
Systems (LTSs): 

Definition 2.1. A LTS over a set of actions Act is a triple L = (S, Act_τ, →) where:

• S is a countable set of states

• Act_τ = Act ∪ {τ} is a countable set of actions, where τ does not occur in Act

• → ⊆ S × Act_τ × S is a transition relation.

We use a, b, ... to range over the set of external actions Act, and α, β, ... to range over Act_τ. The standard
notation s -α-> s' will be used in lieu of (s, α, s') ∈ →. States of a LTS L will also be referred to as
processes and ranged over by s, s', p, q. □
Let us recall some standard notation associated with LTSs. We write s -α-> if there exists some s' such
that s -α-> s', s -> if there exists α ∈ Act_τ such that s -α->, and s -α/->, s -/-> for their respective negations.
We use Succ(α, s) to denote the set {s' | s -α-> s'}, and Succ(s) for ∪_{α∈Act_τ} Succ(α, s). If Succ(s) is finite for
every state s ∈ S the LTS is said to be finite branching. Finally, a state s diverges, denoted s ⇑, if there is
an infinite path of internal moves s -τ-> s' -τ-> ···, while it converges, s ⇓, otherwise.

For a given LTS, each action of the form -a-> can be interpreted as an observable activity; informally
speaking, this means that each component which is external to the modelled system can detect that such an
action has been performed. On the other hand, the action τ is meant to represent internal unobservable
activity; this gives rise to the standard notation for weak actions. s ==> s' is used to denote the reflexive
transitive closure of -τ->, while s =a=> s' denotes s ==> s'' -a-> s''' ==> s'. When s =a=> s' we say that s' is an
a-derivative of s. The associated notation s ==>, s =a=>, s =/=> and s =a/=> have the obvious definitions.

It is common to define many operators on LTSs for interpreting process algebras. In this paper we 
will use only one, a parallel operator designed with testing in mind. 

Definition 2.2 (Parallel composition).

Let L1 = (S1, Act_τ, →), L2 = (S2, Act_τ, →) be LTSs. The parallel composition of L1 and L2 is a LTS
L1 | L2 = (S1 × S2, {τ}, →), where → is defined by the following SOS rules:

$$\frac{s \xrightarrow{\tau} s'}{s\,|\,t \xrightarrow{\tau} s'\,|\,t} \qquad \frac{t \xrightarrow{\tau} t'}{s\,|\,t \xrightarrow{\tau} s\,|\,t'} \qquad \frac{s \xrightarrow{a} s' \quad t \xrightarrow{a} t'}{s\,|\,t \xrightarrow{\tau} s'\,|\,t'}$$

s | t is used as a conventional notation for (s, t). □

The first two rules express the possibility for each component of a LTS to perform independently an
internal activity, which cannot be detected by the other component. The last rule models the synchro-
nisation of two processes executing the same action; this will result in unobservable activity.

2.1 Recursive HML 

Hennessy Milner Logic (HML) [HM85] has proven to be a very expressive property language for states
in an LTS. It is based on a minimal set of modalities to capture the actions a process can perform, and
what the effects of performing such actions are. Here we use a variant in which the interpretation depends
on the weak actions of an LTS.

Definition 2.3 (Syntax of recHML). Let Var be a countable set of variables. The language recHML is
defined as the set of closed formulae generated by the following grammar:

$$\varphi ::= tt \mid ff \mid X \mid Acc(A) \mid \varphi_1 \vee \varphi_2 \mid \varphi_1 \wedge \varphi_2 \mid \langle\alpha\rangle\varphi \mid [\alpha]\varphi \mid min(X,\varphi) \mid max(X,\varphi)$$

Here X is chosen from the countable set of variables Var. The operators min(X, φ), max(X, φ) act as
binders for variables and we have the standard notions of free and bound variables, and associated
binding sensitive substitution of formulae for variables. □

Let us recall the informal meaning of recHML operators. A formula of the form ⟨α⟩φ expresses the
need for a process to have an α-derivative which satisfies formula φ, while formula [α]φ expresses the
need for all α-derivatives (if any) of a converging process to satisfy formula φ.

Formula Acc(A) is defined when A is a finite subset of Act, and is satisfied exactly by those converging
processes for which each τ-derivative has at least an a-derivative for some a ∈ A. min(X, φ) and max(X, φ)
allow the description of recursive properties, respectively being the least and largest solution of the
equation X = φ over the powerset domain of the state space.

$$\begin{array}{rcl}
\llbracket tt \rrbracket\rho & = & S \\
\llbracket ff \rrbracket\rho & = & \emptyset \\
\llbracket X \rrbracket\rho & = & \rho(X) \\
\llbracket Acc(A) \rrbracket\rho & = & \{\, s \mid s \Downarrow,\ \text{if } s \Longrightarrow s' \text{ then } \exists a \in A.\ s' \stackrel{a}{\Longrightarrow} \,\} \\
\llbracket \varphi_1 \vee \varphi_2 \rrbracket\rho & = & \llbracket \varphi_1 \rrbracket\rho \cup \llbracket \varphi_2 \rrbracket\rho \\
\llbracket \varphi_1 \wedge \varphi_2 \rrbracket\rho & = & \llbracket \varphi_1 \rrbracket\rho \cap \llbracket \varphi_2 \rrbracket\rho \\
\llbracket \langle\alpha\rangle\varphi \rrbracket\rho & = & \langle\!\cdot\alpha\cdot\!\rangle(\llbracket \varphi \rrbracket\rho) \\
\llbracket [\alpha]\varphi \rrbracket\rho & = & [\cdot\alpha\cdot](\llbracket \varphi \rrbracket\rho) \\
\llbracket min(X,\varphi) \rrbracket\rho & = & \bigcap \{\, P \mid \llbracket \varphi \rrbracket\rho[X \mapsto P] \subseteq P \,\} \\
\llbracket max(X,\varphi) \rrbracket\rho & = & \bigcup \{\, P \mid P \subseteq \llbracket \varphi \rrbracket\rho[X \mapsto P] \,\}
\end{array}$$

Table 1: Interpretation of recHML

Formally, given a LTS (S, Act_τ, →), we interpret each (closed) formula as a subset of S. The set 2^S
is a complete lattice and the semantics is determined by interpreting each operator in the language as a
monotonic operator over this complete lattice. The binary operators ∨, ∧ are interpreted as set theoretic
union and intersection respectively, while the unary operators are interpreted as follows:

$$\begin{array}{rcl}
\langle\!\cdot\alpha\cdot\!\rangle P & = & \{\, s \mid s \stackrel{\alpha}{\Longrightarrow} s' \text{ for some } s' \in P \,\} \\
[\cdot\alpha\cdot] P & = & \{\, s \mid s \Downarrow, \text{ and } s \stackrel{\alpha}{\Longrightarrow} s' \text{ implies } s' \in P \,\}
\end{array}$$

where P ranges over subsets of S.

Open formulae in recHML can be interpreted by specifying, for each variable X, the set of states for
which the atomic formula X is satisfied. Such a mapping ρ : Var → 2^S is called an environment. Let Env
be the set of environments. A formula φ of recHML will be interpreted as a function ⟦φ⟧ : Env → 2^S.
We will use the standard notation ρ[X ↦ P] to refer to the environment ρ' such that ρ'(X) = P and
ρ'(Y) = ρ(Y) for all variables Y such that X ≠ Y.

The definition of the interpretation ⟦·⟧ is given in Table 1. When referring to the interpretation of a
closed formula φ ∈ recHML, we will omit the environment application, and sometimes use the standard
notation p ⊨ φ for p ∈ ⟦φ⟧.

Our version of HML is non-standard, as we have added a convergence requirement for the inter-
pretation of the box operator [α]. The intuition here is that, as in the failures model of CSP [Hoa85],
divergence represents underdefinedness. So if a process does not converge, all of its capabilities have not
yet been determined; therefore one cannot quantify over all of its α-derivatives, as the totality of this set
has not yet been determined. Further, the operator Acc(A) is also non-standard. It has been introduced
for the sake of simplicity, as it will be useful later; in fact it does not add any expressive power to the
logic, since for each finite set A ⊆ Act the formula Acc(A) is logically equivalent to [τ](∨_{a∈A} ⟨a⟩tt).

As usual, we will write φ{ψ/X} to denote the formula φ where all the free occurrences of the variable
X are replaced with ψ. We will use the congruence symbol ≡ for syntactic equivalence.

The language recHML can be extended conservatively by adding simultaneous fixpoints, leading to
the language recHML+. Given a sequence of variables X̄ of length n > 0, and a sequence of formulae φ̄
of the same length, we allow the formula min_i(X̄, φ̄) for 1 ≤ i ≤ n. This formula will be interpreted as the
i-th projection of the simultaneous fixpoint formula.

Definition 2.4 (Interpretation of simultaneous fixpoints). Let X̄ and φ̄ respectively be sequences of vari-
ables and formulae of length n.

$$\begin{array}{rcl}
\llbracket min(\bar X, \bar\varphi) \rrbracket\rho & = & \bigcap \{\, \bar P \mid \llbracket \varphi_i \rrbracket\rho[\bar X \mapsto \bar P] \subseteq P_i \ \ \forall\, 1 \le i \le n \,\} \\
\llbracket min_i(\bar X, \bar\varphi) \rrbracket\rho & = & \pi_i(\llbracket min(\bar X, \bar\varphi) \rrbracket\rho)
\end{array}$$

where π_i is the i-th projection operator, and intersection over vectors of sets is defined pointwise. □

Again we will omit the environment application if a formula of the form min_i(X̄, φ̄) is closed, that
is, the only variables that occur in φ̄ are those in X̄. Intuitively, an interpretation ⟦min(X̄, φ̄)⟧, where
X̄ = (X_1, ..., X_n) and φ̄ = (φ_1, ..., φ_n), is the least solution (over the set of vectors of length n over 2^S) of
the equation system given by X_i = φ_i for all i = 1, ..., n, while ⟦min_i(X̄, φ̄)⟧ is the i-th projection of such
a vector. Simultaneous fixpoints do not add any expressivity to recHML, as shown below:

Theorem 2.5 (Bekić, [Win93]).

For each formula φ ∈ recHML+ there is a formula ψ ∈ recHML such that ⟦φ⟧ = ⟦ψ⟧. □

Later we will need the following properties of simultaneous fixpoints:

Theorem 2.6 (Fixpoint properties).

(i) Let P̄ be a vector of sets from 2^S satisfying ⟦φ_i⟧ρ[X̄ ↦ P̄] ⊆ P_i for every 1 ≤ i ≤ n. Then
⟦min_i(X̄, φ̄)⟧ρ ⊆ P_i.

(ii) Let ρ_min be an environment such that ρ_min(X_i) = ⟦min_i(X̄, φ̄)⟧ for every i. Then ⟦min_i(X̄, φ̄)⟧ = ⟦φ_i⟧ρ_min. □
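As an added illustration, not part of the paper, the following Python code interprets recHML formulae over a small constructed LTS in the manner of Table 1: weak transitions, the convergence-sensitive box operator, Acc(A), and min/max fixpoints. The fixpoints are computed by iterating the monotone operator from ∅ (least) or from S (greatest), which terminates because the lattice 2^S is finite here. Formulae are encoded as nested tuples, an assumed encoding; for α = τ the weak relation =τ=> is taken to be ==> itself, which is the reading under which Acc(A) coincides with [τ](∨_{a∈A}⟨a⟩tt) as stated above. The state d diverges through a τ self-loop, which is exactly where the non-standard box semantics differs from the usual one.

```python
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

TAU = "tau"

# Constructed finite LTS (not from the paper): state -> list of (action, successor).
# "d" diverges via a tau self-loop; every other state converges.
LTS: Dict[str, List[Tuple[str, str]]] = {
    "s0": [("a", "s1"), (TAU, "s2")],
    "s1": [],
    "s2": [("b", "s1")],
    "d":  [(TAU, "d"), ("a", "s1")],
}
STATES: FrozenSet[str] = frozenset(LTS)


def tau_closure(s: str) -> Set[str]:
    """All s' with s ==> s' (reflexive transitive closure of tau moves)."""
    seen, stack = {s}, [s]
    while stack:
        for act, nxt in LTS[stack.pop()]:
            if act == TAU and nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def weak_succ(s: str, alpha: str) -> Set[str]:
    """alpha-derivatives of s: s ==> s'' -alpha-> s''' ==> s'.
    For alpha = tau the relation is taken to be ==> itself (assumption, see lead-in)."""
    if alpha == TAU:
        return tau_closure(s)
    out: Set[str] = set()
    for mid in tau_closure(s):
        for act, nxt in LTS[mid]:
            if act == alpha:
                out |= tau_closure(nxt)
    return out


def converges(s: str) -> bool:
    """s converges iff no tau-cycle is reachable from s by tau moves (finite LTS)."""
    for u in tau_closure(s):
        for act, v in LTS[u]:
            if act == TAU and u in tau_closure(v):   # the edge u -> v closes a tau-cycle
                return False
    return True


def diamond(alpha: str, P: Set[str]) -> Set[str]:
    """<.alpha.>P = { s | s =alpha=> s' for some s' in P }"""
    return {s for s in STATES if weak_succ(s, alpha) & P}


def box(alpha: str, P: Set[str]) -> Set[str]:
    """[.alpha.]P = { s | s converges and every alpha-derivative of s lies in P }"""
    return {s for s in STATES if converges(s) and weak_succ(s, alpha) <= P}


def acc(A: FrozenSet[str]) -> Set[str]:
    """Acc(A): converging states all of whose tau-derivatives can weakly do some a in A."""
    return {s for s in STATES if converges(s)
            and all(any(weak_succ(t, a) for a in A) for t in tau_closure(s))}


def sem(phi: tuple, env: Optional[Dict[str, Set[str]]] = None) -> Set[str]:
    """Interpretation of Table 1.  Encoding: ("tt",), ("ff",), ("var", X), ("acc", A),
    ("or", f, g), ("and", f, g), ("dia", alpha, f), ("box", alpha, f), ("min", X, f), ("max", X, f)."""
    env = env or {}
    op = phi[0]
    if op == "tt":
        return set(STATES)
    if op == "ff":
        return set()
    if op == "var":
        return set(env[phi[1]])
    if op == "acc":
        return acc(frozenset(phi[1]))
    if op == "or":
        return sem(phi[1], env) | sem(phi[2], env)
    if op == "and":
        return sem(phi[1], env) & sem(phi[2], env)
    if op == "dia":
        return diamond(phi[1], sem(phi[2], env))
    if op == "box":
        return box(phi[1], sem(phi[2], env))
    if op in ("min", "max"):
        # Least/greatest solution of X = phi: iterate the monotone operator from the
        # bottom (empty set) or the top (S); the finite lattice guarantees termination.
        X, body = phi[1], phi[2]
        cur = set() if op == "min" else set(STATES)
        while True:
            nxt = sem(body, {**env, X: cur})
            if nxt == cur:
                return cur
            cur = nxt
    raise ValueError(f"unknown operator {op!r}")


def acc_equivalent(A: FrozenSet[str]) -> bool:
    """Checks the claim Acc(A) == [tau](V_{a in A} <a>tt) on this LTS."""
    disj: tuple = ("ff",)
    for a in sorted(A):
        disj = ("or", ("dia", a, ("tt",)), disj)
    return sem(("acc", A)) == sem(("box", TAU, disj))


if __name__ == "__main__":
    X = ("var", "X")
    print(sem(("box", "a", ("ff",))))        # d is excluded: it diverges
    print(sem(("min", "X", ("or", ("dia", "a", ("tt",)), ("dia", "b", X)))))
    print(acc_equivalent(frozenset({"a", "b"})))
```

The `min` case also explains why a least fixpoint is the right reading for "eventually can do a after b-steps": iteration from ∅ adds only states that reach the goal in finitely many steps, whereas `max` from S keeps every state that is never refuted, as in the invariant formula max(X, [a]X ∧ [b]X ∧ [τ]X), which here holds exactly on the converging states.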
2.2 Tests 

Another way to analyse the behaviour of a process is given by testing. Testing a process can be thought
of as an experiment in which another process, called a test, detects the actions performed by the tested
process, reacting to them by allowing or forbidding the execution of a subset of observables. After observing
the behaviour of the process, the test can decree that it satisfies the property for which the test was
designed by reporting the success of the experiment, through the execution of a special action ω.

Formally speaking, a test is a state from a LTS T = (T, Act_τ^ω, →), where Act_τ^ω = Act_τ ∪ {ω} and ω is
an action not contained in Act_τ.

Given a LTS of processes L = (S, Act_τ, →), an experiment consists of a pair p | t from the product
LTS (L | T). We refer to a maximal path p | t -> p_1 | t_1 -> ··· -> p_k | t_k -> ··· as a computation of p | t.
It may be finite or infinite; it is successful if there exists some n ≥ 0 such that t_n -ω->. As only τ-actions can
be performed in an experiment, we will omit the symbol τ in computations and in computation prefixes.
Successful computations lead to the definition of two well known testing relations [DH84]:

Definition 2.7 (May Satisfy, Must Satisfy). Assuming a LTS of processes and a LTS of tests, let s and t
be a state and a test from such LTSs, respectively. We say

(a) s may satisfy t if there exists a successful computation for the experiment s | t.

(b) s must satisfy t if each computation of the experiment s | t is successful.

Later in the paper we will use a specific LTS of tests, whose states are all the closed terms generated
by the grammar

$$t ::= 0 \mid a.t \mid \omega.0 \mid X \mid t_1 + t_2 \mid \mu X.t \qquad (1)$$

Again in this language X is bound in μX.t, and the test t{t'/X} denotes the test t in which each free
occurrence of X is replaced by t'. The transition relation is defined by the following rules¹:

$$\frac{}{a.t \xrightarrow{a} t} \qquad \frac{t_1 \xrightarrow{a} t'}{t_1 + t_2 \xrightarrow{a} t'} \qquad \frac{t_2 \xrightarrow{a} t'}{t_1 + t_2 \xrightarrow{a} t'} \qquad \frac{}{\mu X.t \xrightarrow{\tau} t\{\mu X.t/X\}}$$

The last rule states that a test of the form μX.t can always perform a τ-action before evolving into the
test t{μX.t/X}. This treatment of recursive processes will allow us to prove properties of paths of recursive
tests and experiments by performing an induction on their length. Further, the following property holds
for a test t in grammar (1):

Proposition 2.8. Let T = (T, Act_τ^ω, →) be the LTS generated by a state t in grammar (1): then T is both
finite branching and finite state. □
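The experiment, computation and may/must satisfy notions of this section, as an added Python example that is not from the paper. Processes and tests are given directly as finite LTSs (all of them constructed; a recursion-free term of grammar (1) unfolds to such an LTS, μX.t is not handled here). The product LTS follows the three rules of Definition 2.2, with ω being a test-only action that never synchronises. Both relations are decided by exploring the finite product graph: a successful computation exists iff a configuration whose test can do ω is reachable, and an unsuccessful one exists iff, moving only through configurations that cannot report success, one reaches a terminal configuration (a finite maximal computation) or a cycle (an infinite one, e.g. produced by a diverging process).

```python
from typing import Dict, List, Tuple

TAU, OMEGA = "tau", "omega"
LTS = Dict[str, List[Tuple[str, str]]]

# Constructed process LTS: "s" does a or b, "p" only a, "q" only b,
# "pd" is "p" with a tau self-loop (a diverging process), "nil" is the empty process.
PROC: LTS = {
    "s": [("a", "nil"), ("b", "nil")],
    "p": [("a", "nil")],
    "q": [("b", "nil")],
    "pd": [(TAU, "pd"), ("a", "nil")],
    "nil": [],
}

# Constructed test LTS: t_ab = a.omega.0 + b.omega.0, t_both = tau.a.omega.0 + tau.b.omega.0,
# "w" = omega.0 and "stop" = 0.
TEST: LTS = {
    "t_ab": [("a", "w"), ("b", "w")],
    "t_both": [(TAU, "ta"), (TAU, "tb")],
    "ta": [("a", "w")],
    "tb": [("b", "w")],
    "w": [(OMEGA, "stop")],
    "stop": [],
}

Config = Tuple[str, str]


def reports_success(t: str) -> bool:
    """t -omega->"""
    return any(act == OMEGA for act, _ in TEST[t])


def successors(cfg: Config) -> List[Config]:
    """tau-moves of the experiment p | t (Definition 2.2): an internal move of either
    side, or a synchronisation on a visible action; omega never synchronises."""
    p, t = cfg
    out = [(p2, t) for act, p2 in PROC[p] if act == TAU]
    out += [(p, t2) for act, t2 in TEST[t] if act == TAU]
    out += [(p2, t2) for act, p2 in PROC[p] if act != TAU
            for act2, t2 in TEST[t] if act2 == act]
    return out


def may_satisfy(p: str, t: str) -> bool:
    """Some computation of p | t passes through a configuration whose test can do omega."""
    seen, stack = {(p, t)}, [(p, t)]
    while stack:
        cfg = stack.pop()
        if reports_success(cfg[1]):
            return True
        for nxt in successors(cfg):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return False


def must_satisfy(p: str, t: str) -> bool:
    """Every maximal computation of p | t is successful.  Searching only through
    configurations that cannot yet report success, an unsuccessful computation is
    found exactly when such a configuration is terminal or lies on a cycle."""
    GREY, BLACK = 1, 2
    colour: Dict[Config, int] = {}

    def dfs(cfg: Config) -> bool:
        if reports_success(cfg[1]):
            return True
        nxts = successors(cfg)
        if not nxts:
            return False                      # finite maximal computation, never successful
        colour[cfg] = GREY
        for nxt in nxts:
            c = colour.get(nxt)
            if c == GREY:
                return False                  # cycle of non-successful configurations
            if c is None and not dfs(nxt):
                return False
        colour[cfg] = BLACK                   # every computation from here succeeds
        return True

    return dfs((p, t))


if __name__ == "__main__":
    for proc in ("s", "p", "q", "pd", "nil"):
        print(proc, "t_ab may/must:", may_satisfy(proc, "t_ab"), must_satisfy(proc, "t_ab"),
              "| t_both may/must:", may_satisfy(proc, "t_both"), must_satisfy(proc, "t_both"))
```

Running it shows the two relations coming apart: the diverging process pd may satisfy t_ab but does not must satisfy it, because the τ self-loop yields an infinite computation in which the test never moves; and p may satisfy t_both (via the τ-branch to a.ω.0) but does not must satisfy it, because the other τ-branch leaves p | b.ω.0 stuck without success.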



3 Testing formulae 

Relative to a process LTS (S, Act_τ, →) and a test LTS (T, Act_τ^ω, →), we now explore the relationship
between tests from our default LTS of tests and formulae of recHML. Given a test t, our goal is to
find a formula φ such that the set of processes which may satisfy / must satisfy such a test is completely
characterised by the interpretation ⟦φ⟧. Moreover, we aim to establish exactly the subsets of recHML
for which each formula can be checked by some test, both in the may and must case.
For this purpose some definitions are necessary:

Definition 3.1. Let φ be a recHML formula and t a test. We say that:

• φ must-represents the test t, if for all p ∈ S, p must satisfy t if and only if p ⊨ φ.

• φ is must-testable whenever there exists a test which φ must-represents.

• t is must-representable, if there exists some φ ∈ recHML which must-represents it.

Similar definitions are given for may testing. □

First some examples.

Example 3.2 (Negative results).

(a) φ = [a]ff is not may-testable.

Let s ∈ ⟦[a]ff⟧; a new process p can be built starting from s by letting p -τ-> p, and whenever s -α-> s'
then p -α-> s'.

Processes p and s may satisfy the same set of tests. However, p ∉ ⟦[a]ff⟧, as p ⇑. Therefore
no test may-represents [a]ff.

(b) φ = ⟨a⟩tt is not must-testable.

We show by contradiction that there exists no test t that must-represents φ. To this end, we perform
a case analysis on the structure of t.

• t -ω->: Consider the process 0 with no transitions. Then 0 must satisfy t, whereas 0 ∉ ⟦φ⟧.

• t -ω/->: Let s ∈ ⟦φ⟧ and consider the process p built up from s according to the rules of the
example above; we have p ∈ ⟦φ⟧. On the other hand, p must satisfy t is not true; indeed the
experiment p | t leads to the unsuccessful computation p | t -> p | t -> ···.

¹For the sake of clarity, the rules use an abuse of notation, by considering a as an action from Act_τ ∪ {ω} rather than from
Act_τ.
Therefore there is no test t which must-represents φ.

(c) φ = ⟨a⟩tt ∧ ⟨b⟩tt is not may-testable.

Let s be the process whose only transitions are s -a-> 0, s -b-> 0. Let also p, p' be the processes whose
only transitions are p -a-> 0, p' -b-> 0. We have s ∈ ⟦φ⟧, whereas p, p' ∉ ⟦φ⟧. We show that whenever
s may satisfy a test t, then either p may satisfy t or p' may satisfy t. Thus there exists no test which
is may-satisfied by exactly those processes in ⟦φ⟧, and therefore φ is not may-representable. First,
notice that if s may satisfy t, then at least one of the following holds:

(i) t =ω=>,

(ii) t =a=> t' =ω=>,

(iii) t =b=> t' =ω=>.

If t =ω=>, then trivially both p and p' may satisfy t. On the other hand, if t =a=> t' =ω=>, then there exist
t'', t_ω such that t ==> t'' -a-> t' ==> t_ω -ω->. We can build the computation fragment for p | t

p | t ==> p | t'' -> 0 | t' ==> 0 | t_ω

which is successful. Hence p may satisfy t. Finally, the case t =b=> t' =ω=> is similar.

(d) In an analogous way to (c) it can be shown that [a]ff ∨ [b]ff is not must-testable. □

We now investigate precisely which formulae in recHML can be represented by tests. To this end,
we define two sub-languages, namely mayHML and mustHML.

Definition 3.3 (Representable formulae).

• The language mayHML is defined to be the set of closed formulae generated by the following
recHML grammar fragment:

$$\varphi ::= tt \mid ff \mid X \mid \langle\alpha\rangle\varphi \mid \varphi_1 \vee \varphi_2 \mid min(X,\varphi) \qquad (2)$$

• The language mustHML is defined to be the set of closed formulae generated by the following
recHML grammar fragment:

$$\varphi ::= tt \mid ff \mid Acc(A) \mid X \mid [\alpha]\varphi \mid \varphi_1 \wedge \varphi_2 \mid min(X,\varphi) \qquad (3)$$

Note that both sub-languages use the minimal fixpoint operator only; this is not surprising, as informally
at least testing is an inductive rather than a coinductive property. Since there exist formulae of the form
[α]φ, φ_1 ∧ φ_2 which are not may-representable, the [·] modality and the conjunction operator have not
been included in mayHML. The same argument applies to the modality ⟨·⟩ and the disjunction operator ∨
in the must case, which are therefore not included in mustHML.

Note also that the modality [·] is only used in mustHML, which will be compared with must-testing.
No diverging process must satisfy a non-trivial test t, i.e. one such that t -ω/->. Hence, in this setting, the
convergence restriction on this modality is natural.

We have now completed the set of definitions setting up our framework of properties and tests. In 
the remainder of the paper we prove the results announced, informally, in the Introduction. 
4 The must case

We will now develop the mathematical basis needed to relate mustHML formulae and the must testing
relation; in this section we will assume that the LTS of processes is finite branching.

Lemma 4.1. Let φ ∈ mustHML, and let p ∈ ⟦φ⟧ where p ⇑: then ⟦φ⟧ is the entire process space, i.e.
⟦φ⟧ = S. □

This lemma has important consequences; it means formulae in mustHML either have the trivial interpre-
tation as the full set of states S, or they are only satisfied by convergent states.

Definition 4.2. Let C be the set of subsets of S determined by:

• S ∈ C,

• X ∈ C, s ∈ X implies s ⇓. □

Proposition 4.3. C ordered by set inclusion is a continuous partial order, cpo.

Proof. The empty set is obviously the least element in C. So it is sufficient to show that if X_0 ⊆ X_1 ⊆ ···
is a chain of elements in C then ∪_n X_n is also in C. □

We can now take advantage of the fact that mustHML actually has a continuous interpretation in
(C, ⊆). The only non-trivial case here is the continuity of the operator [·α·]:

Proposition 4.4. Suppose the LTS of processes is finite-branching. If X_0 ⊆ X_1 ⊆ ··· is a chain of elements
in C then

$$\bigcup_n [\cdot\alpha\cdot] X_n = [\cdot\alpha\cdot] \bigcup_n X_n.$$

□

This continuous interpretation of mustHML allows us to use chains of finite approximations for these
formulae of mustHML. That is, given φ ∈ mustHML and k ≥ 0, recursion free formulae φ^k will be defined
such that ⟦φ^k⟧ ⊆ ⟦φ^(k+1)⟧ and ∪_{k≥0} ⟦φ^k⟧ = ⟦φ⟧. We can therefore reason inductively on approximations in
order to prove properties of recursive formulae.

Definition 4.5 (Formulae approximations). For each formula φ in mustHML define

$$\begin{array}{rcll}
\varphi^{0} & = & ff \\
\varphi^{(k+1)} & = & \varphi & \text{if } \varphi = tt,\ ff \text{ or } Acc(A) \\
([\alpha]\varphi)^{(k+1)} & = & [\alpha]\varphi^{(k+1)} \\
(\varphi_1 \wedge \varphi_2)^{(k+1)} & = & \varphi_1^{(k+1)} \wedge \varphi_2^{(k+1)} \\
(min(X,\varphi))^{(k+1)} & = & (\varphi\{min(X,\varphi)/X\})^{k}
\end{array}$$

□

It is obvious that for every φ ∈ mustHML, ⟦φ^k⟧ ⊆ ⟦φ⟧ for every k ≥ 0. The fact that the union of
the approximations of φ converges to φ itself depends on the continuity of the interpretation:

Proposition 4.6.

$$\bigcup_{k \ge 0} \llbracket \varphi^k \rrbracket = \llbracket \varphi \rrbracket$$

Proof. This is true in the initial continuous interpretation of the language, and therefore also in our
interpretation. For details see [CN78]. □

Having established these properties of the interpretation of formulae in mustHML, we now show that
they are all must-testable. The required tests are defined by induction on the structure of the formulae.

Definition 4.7. For each φ in mustHML define t_must(φ) as follows:

$$\begin{array}{rcll}
t_{must}(tt) & = & \omega.0 & (4)\\
t_{must}(ff) & = & 0 & (5)\\
t_{must}(Acc(A)) & = & \sum_{a \in A} a.\omega.0 & (6)\\
t_{must}(X) & = & X & (7)\\
t_{must}([\tau]\varphi) & = & \tau.t_{must}(\varphi) & (8)\\
t_{must}([a]\varphi) & = & a.t_{must}(\varphi) + \tau.\omega.0 & (9)\\
t_{must}(\varphi_1 \wedge \varphi_2) & = & \begin{cases} \omega.0 & \text{if } \varphi_1 \wedge \varphi_2 \text{ is closed and logically equivalent to } tt \\ \tau.t_{must}(\varphi_1) + \tau.t_{must}(\varphi_2) & \text{otherwise} \end{cases} & (10)\\
t_{must}(min(X,\varphi)) & = & \begin{cases} t_{must}(\varphi) & \text{if } \varphi \text{ is closed} \\ \mu X.\,t_{must}(\varphi) & \text{otherwise} \end{cases} & (11)
\end{array}$$

For each formula φ in mustHML, the test t_must(φ) is defined in a way such that the set of processes
which must satisfy t_must(φ) is exactly ⟦φ⟧. Before supplying the details of a formal proof of this state-
ment, let us comment on the definition of t_must(φ).

Cases (4), (5) and (7) are straightforward. In the case of Acc(A), the test allows only those actions which
are in A to be performed by a process, after which it reports success.

For the box operator, a distinction has to be made between [a]φ and [τ]φ. In the former we have to take
into account that a converging process which cannot perform a weak a-action satisfies such a property;
thus, synchronisation through the execution of an a-action is allowed, but the test is also given the
possibility to report success after the execution of an internal action. In the case of [τ]φ no synchronisation
with any action is required; however, since we are adding a convergence requirement to formula φ, we
have to avoid the possibility that the test t_must([τ]φ) can immediately perform an ω action. This is done by
requiring the test t_must([τ]φ) to first perform an internal action.

Finally, (10) and (11) are defined by distinguishing between two cases; this is because a formula of the
form φ_1 ∧ φ_2 or min(X, φ) can be logically equivalent to tt, whose interpretation is the entire state space.
However, the second clause in the definition of t_must(φ) for such formulae requires the test to perform a τ
action before performing any other activity, thus at most converging processes must satisfy such a test.

In order to give a formal proof that t_must(φ) does indeed capture the formula φ we need to establish
some preliminary properties. The first essentially says that no formula of the form min(X, φ), with φ not
closed, will be interpreted in the whole state space.

Lemma 4.8. Let φ = min(X, ψ), with ψ not closed. Then ⟦φ⟧ ≠ S. □

Then we state some simple properties about recursive tests.
Lemma 4.9.

• p must satisfy μX.t implies p must satisfy t{μX.t/X}.

• p ⇓, p must satisfy t{μX.t/X} implies p must satisfy μX.t. □

Note that the premise p ⇓ is essential in the second part of this lemma, as μX.t cannot perform an ω
action; therefore it can be must-satisfied only by processes which converge.

Proposition 4.10. Suppose the LTS of processes is finitely branching. If p must satisfy t_must(φ) then
p ∈ ⟦φ⟧.

Proof. Suppose p must satisfy t_must(φ). As both the LTS of processes (by assumption) and the LTS
of tests (Proposition 2.8) are finite branching, the maximal length of a successful computation, |p, t|, is
defined and finite. This is a direct consequence of König's Lemma [BJ89]. Thus it is possible to perform
an induction over |p, t_must(φ)| to prove that p ∈ ⟦φ^k⟧ for some k. The result will then follow from Proposition 4.6.

• If |p, t_must(φ)| = 0 then t_must(φ) -ω->, and hence for each p ∈ S, p must satisfy t_must(φ). Further it is
not difficult to show that φ is logically equivalent to tt, hence p ∈ ⟦φ⟧.

• If |p, t_must(φ)| = n + 1 then the validity of the theorem follows from an application of an inner
induction on φ. We show only the most interesting case, which is φ = min(X, ψ). There are two
possible cases.

(a) If X is not free in ψ then the result follows by the inner induction, as min(X, ψ) is logically
equivalent to ψ, and t_must(min(X, ψ)) = t_must(ψ) by definition.

(b) If X is free in ψ then, by Lemma 4.9, p must satisfy t_must(ψ){μX.t_must(ψ)/X}, which is syntac-
tically equal to t_must(ψ{min(X, ψ)/X}).

Since |p, t_must(ψ{min(X, ψ)/X})| < |p, t_must(φ)|, by the inductive hypothesis we have
p ∈ ⟦(ψ{min(X, ψ)/X})^k⟧ for some k, hence p ∈ ⟦φ^(k+1)⟧. □

To prove the converse of Proposition 4.10 we use the following concept:

Definition 4.11 (Satisfaction Relation). Let R ⊆ S × mustHML and for any φ let (R φ) = {s | s R φ}.
Then R is a satisfaction relation if it satisfies

$$\begin{array}{rcl}
(R\ tt) & = & S \\
(R\ ff) & = & \emptyset \\
(R\ Acc(A)) & = & \{\, s \mid s \Downarrow,\ s \Longrightarrow s' \text{ implies } \exists a \in A.\ s' \stackrel{a}{\Longrightarrow} \,\} \\
(R\ [\alpha]\varphi) & \subseteq & [\cdot\alpha\cdot](R\ \varphi) \\
(R\ \varphi_1 \wedge \varphi_2) & \subseteq & (R\ \varphi_1) \cap (R\ \varphi_2) \\
(R\ \varphi\{min(X,\varphi)/X\}) & \subseteq & (R\ min(X,\varphi))
\end{array}$$

□

Satisfaction relations are defined to agree with the interpretation ⟦·⟧. Indeed, all implications re-
quired for satisfaction relations are satisfied by ⊨. Further, as ⟦min(X, φ)⟧ is defined to be the least
solution to the recursive equation X = φ, we expect it to be the smallest satisfaction relation.

Proposition 4.12. The relation ⊨ is a satisfaction relation. Further, it is the smallest satisfaction relation.
□

Proposition 4.12 ensures that, for any satisfaction relation R, ⊨ is included in R; in other words, if
p ⊨ φ then p R φ. Next we consider the relation R_must such that p R_must φ whenever p must satisfy t_must(φ),
and show that it is a satisfaction relation.
Proposition 4.13. The relation R_must is a satisfaction relation.

Proof. We proceed by induction on the formula φ. Again, we only check the most interesting case.
Suppose φ = min(X, ψ). We have to show p must satisfy t_must(ψ{φ/X}) implies p must satisfy t_must(φ).
We distinguish two cases:

(a) X does not appear free in ψ: then t_must(φ) = t_must(ψ), and ψ{φ/X} = ψ. This case is trivial.

(b) X does appear free in ψ: in this case t_must(φ) = μX.t_must(ψ), and t_must(ψ{φ/X}) has the form
t_must(ψ){μX.t_must(ψ)/X}. By Lemma 4.8 ⟦φ⟧ ≠ S; therefore Lemma 4.1 ensures that p ⇓, and hence
by Lemma 4.9 it follows that p must satisfy t_must(φ). □

Combining all these results we now obtain our result on the testability of mustHML.

Theorem 4.14. Suppose the LTS of processes is finite-branching. Then for every φ ∈ mustHML, there
exists a test t_must(φ) such that φ must-represents the test t_must(φ).

Proof. We have to show that for any process p, p must satisfy t_must(φ) if and only if p ∈ ⟦φ⟧. One
direction follows from Proposition 4.10. Conversely, suppose p ∈ ⟦φ⟧. By Proposition 4.12 it follows
that for all satisfaction relations R it holds that p R φ; hence, by Proposition 4.13, p R_must φ, or equivalently
p must satisfy t_must(φ). □

We now turn our attention to the second result, namely that every test t is must-representable by some
formula in mustHML. Let us for the moment assume a finite branching LTS of tests in which the state
space T is finite.

Definition 4.15. Assume we have a test-indexed set of variables {X_t}. For each test t ∈ T define φ_t as
below:

$$\begin{array}{rcll}
\varphi_t & = & tt & \text{if } t \xrightarrow{\omega} \qquad (12)\\
\varphi_t & = & ff & \text{if } t \not\rightarrow \qquad (13)\\
\varphi_t & = & \Big(\bigwedge_{a,t' : t \xrightarrow{a} t'} [a]X_{t'}\Big) \wedge Acc(\{a \mid t \xrightarrow{a}\}) & \text{if } t \not\xrightarrow{\omega},\ t \not\xrightarrow{\tau},\ t \rightarrow \qquad (14)\\
\varphi_t & = & \Big(\bigwedge_{t' : t \xrightarrow{\tau} t'} [\tau]X_{t'}\Big) \wedge \Big(\bigwedge_{a,t' : t \xrightarrow{a} t'} [a]X_{t'}\Big) & \text{if } t \not\xrightarrow{\omega},\ t \xrightarrow{\tau} \qquad (15)
\end{array}$$

Take φ_t to be the extended formula min_t(X̄, φ̄), using the simultaneous least fixed points introduced
in Section 2.1. □

Notice that we have a finite set of variables {X_t} and that the conjunctions in Definition 4.15 are finite,
as the LTS of tests is finite state and finite branching. These two conditions are needed for φ_t to be well
defined.

Formula φ_t captures the properties required by a process to must satisfy test t. The first two clauses
of the definition are straightforward. If t cannot make an internal action or cannot report a success, but
can perform a visible action a to evolve into t', then a process should be able to perform a transition =a=>
and evolve into a process p' such that p' must satisfy t'. The requirement Acc({a | t -a->}) is needed because
a synchronisation between the process p and the test t is required for p must satisfy t to be true.
In the last clause, the test t is able to perform at least a τ-action. In this case there is no need for a
synchronisation between a process and the test, so there is no term of the form Acc({a | t -a->}) in the
definition of φ_t. However, it is possible that a process p will never synchronise with such a test; instead t
will perform a transition t -τ-> t' after p has executed an arbitrary number of internal actions. Thus, we
require that for each transition p ==> p', p' must satisfy t'.

We now supply the formal details which lead to the statement that formula $\varphi_t$ characterises the test $t$. Our immediate aim is to show that the two environments, defined by

$$\rho_{min}(X_t) = \llbracket \varphi_t \rrbracket \qquad\qquad \rho_{must}(X_t) = \{\, p \mid p \text{ must satisfy } t \,\}$$

are identical. This is achieved in the following two propositions.
Proposition 4.16. For all $t \in T$ it holds that $\rho_{min}(X_t) \subseteq \rho_{must}(X_t)$.

Proof. We just need to show that $\llbracket \psi_t \rrbracket \rho_{must} \subseteq \rho_{must}(X_t)$; the result follows from an application of the minimal fixpoint property, Theorem 2.6. The proof is carried out by performing a case analysis on $t$. We will only consider Case (14), as cases (12) and (13) are trivial and Case (15) is handled similarly. Assume $p \in \llbracket \psi_t \rrbracket \rho_{must}$. We have

(a) $p \Downarrow$,

(b) whenever $p \Rightarrow p'$ there exists an action $a \in Act$ such that $t \xrightarrow{a}$ and $p' \stackrel{a}{\Longrightarrow}$,

(c) whenever $p \stackrel{a}{\Longrightarrow} p'$ and $t \xrightarrow{a} t'$, then $p' \in \rho_{must}(X_{t'})$, i.e. $p'$ must satisfy $t'$.

Conditions (a) and (b) are met since $p \in \llbracket Acc(\{a \mid t \xrightarrow{a}\}) \rrbracket$ and $t \xrightarrow{a}$ for some $a \in Act$, while (c) is true because $p \in \llbracket \bigwedge_{a,t' :\, t \xrightarrow{a} t'} [a]X_{t'} \rrbracket \rho_{must}$.

To prove that $p \in \rho_{must}(X_t)$ we have to show that every computation of $p \mid t$ is successful. To this end, consider an arbitrary computation of $p \mid t$; condition (b) ensures that such a computation cannot have the finite form

$$p \mid t \rightarrow p_1 \mid t \rightarrow \cdots \rightarrow p_k \mid t \rightarrow p_{k+1} \mid t \rightarrow \cdots \rightarrow p_n \mid t \qquad (16)$$

For such a computation we have that $p_n \Rightarrow p'$, and there exists $p''$ with $p' \xrightarrow{a} p''$ for some action $a$ and test $t'$ such that $t \xrightarrow{a} t'$. Therefore we have a computation prefix of the form

$$p \mid t \rightarrow p_1 \mid t \rightarrow \cdots \rightarrow p_n \mid t \rightarrow \cdots \rightarrow p' \mid t \rightarrow p'' \mid t'$$

hence the maximality of computation (16) does not hold.

Further, condition (a) ensures that a computation of $p \mid t$ cannot have the form

$$p \mid t \rightarrow p_1 \mid t \rightarrow \cdots \rightarrow p_k \mid t \rightarrow p_{k+1} \mid t \rightarrow \cdots$$

Therefore all computations of $p \mid t$ have the form

$$p \mid t \rightarrow p_1 \mid t \rightarrow \cdots \rightarrow p_n \mid t \rightarrow p' \mid t'$$

with $p'$ must satisfy $t'$ by condition (c); then for each computation of $p \mid t$ there exist $p'', t''$ such that

$$p \mid t \rightarrow \cdots \rightarrow p' \mid t' \rightarrow \cdots \rightarrow p'' \mid t''$$

and $t'' \xrightarrow{\omega}$. Hence, every computation from $p \mid t$ is successful. □
Proposition 4.17. Assume the LTS of processes is branching finite. For every $t \in T$, $\rho_{must}(X_t) \subseteq \rho_{min}(X_t)$.

Proof. We have to show that $p$ must satisfy $t$ implies $p \in \llbracket \varphi_t \rrbracket$.

Suppose $p$ must satisfy $t$; since we are assuming that the set $T$, as well as the set $S$, contains only finite branching tests (processes), the maximal length of a successful computation fragment $|p,t|$ is defined and finite.

Therefore we proceed by induction on $|p,t|$; the main technical property used is the Fixpoint Property, Theorem 2.6.

• $k = 0$: In this case $t \xrightarrow{\omega}$, and hence for all $p \in S$ we have $p$ must satisfy $t$. Moreover, $\varphi_t = tt$, and hence for all $p \in S$, $p \in \llbracket \varphi_t \rrbracket \rho_{min}$.

• $k > 0$: There are several cases to consider, according to the structure of the test $t$:

1. $t \not\xrightarrow{\omega}$, $t \not\xrightarrow{\tau}$, $t \xrightarrow{a}$: we first show that $p \in \llbracket Acc(\{a \mid t \xrightarrow{a}\}) \rrbracket \rho_{min}$.

Since $p$ must satisfy $t$, we have $p \Downarrow$. Consider a computation fragment of the form

$$p \mid t \rightarrow \cdots \rightarrow p'' \mid t$$

As $p \Downarrow$, we require that all computations rooted in $p'' \mid t$ will eventually contain a term of the form $p_k \mid t'$, where $t' \neq t$. Further, as $t \not\xrightarrow{\tau}$, such a test should follow from a synchronisation between $p$ and $t$. We then have that, whenever $p \Rightarrow p''$, there exists an action $a$ such that $t \xrightarrow{a}$ and $p'' \stackrel{a}{\Longrightarrow}$, which combined with the constraint $p \Downarrow$ is equivalent to $p \in \llbracket Acc(\{a \mid t \xrightarrow{a}\}) \rrbracket$.

We also have to show that $p \in \llbracket \bigwedge_{a,t' :\, t \xrightarrow{a} t'} [a]X_{t'} \rrbracket \rho_{min}$. Let $p \stackrel{a}{\Longrightarrow} p'$. Then $p$ must satisfy $t$ implies $p'$ must satisfy $t'$. Moreover, we have $|p',t'| < k$. By the inductive hypothesis, we have that $p' \in \llbracket \varphi_{t'} \rrbracket$, that is $p' \in \rho_{min}(X_{t'})$. Then the result $p \in \llbracket [a]X_{t'} \rrbracket \rho_{min}$ holds.

2. $t \not\xrightarrow{\omega}$, $t \xrightarrow{\tau}$: A similar analysis to the case above can be carried out.

□
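As an added illustration that is not part of the paper, the following Python script encodes small finite process and test LTSs (constructed here), computes $\rho_{must}(X_t)$ by exploring the maximal computations of $p \mid t$, and computes $\rho_{min}(X_t)$ by iterating clauses (12) to (15) of Definition 4.15 upward from the empty environment; on the sample it confirms that the two environments coincide, including for a divergent process and for one whose internal choice may refuse the test's action. The state names and all function names are my own assumptions, and the satisfaction relation follows the paper's convention that box and $Acc$ formulae require convergence.

```python
# Added example (not the paper's code). Finite LTSs as dicts state -> [(label, successor)]; 'tau' is the
# internal action and 'w' the success action omega of a test. All process and test data are constructed.
PROC = {'p0': [('a', 'p1')], 'p1': [],                              # p0 performs a and stops
        'q0': [('tau', 'q0'), ('a', 'q1')], 'q1': [],               # q0 diverges on a tau loop
        'r0': [('tau', 'r1'), ('tau', 'r2')], 'r1': [('a', 'r3')], 'r2': [('b', 'r4')], 'r3': [], 'r4': []}
TEST = {'t0': [('a', 't1')], 't1': [('w', 't1')], 'd0': [('a', 'd1')], 'd1': [],  # clauses (14),(12),(14),(13)
        'u0': [('tau', 'u1'), ('b', 't1')], 'u1': [('a', 't1')]}                  # u0 falls under clause (15)
def tau_closure(lts, s):                     # all s' with s => s' (zero or more tau steps)
    seen, todo = {s}, [s]
    while todo:
        for lab, y in lts[todo.pop()]:
            if lab == 'tau' and y not in seen:
                seen.add(y); todo.append(y)
    return seen

def weak(lts, s, a):                         # all s'' with s ==a==> s'' (tau* a tau*)
    return {z for x in tau_closure(lts, s) for lab, y in lts[x] if lab == a for z in tau_closure(lts, y)}

def converges(lts, s):                       # s converges: no tau cycle reachable, so no infinite tau run
    return all(x not in tau_closure(lts, y) for x in tau_closure(lts, s) for lab, y in lts[x] if lab == 'tau')

def must_satisfy(proc, test, p, t):          # every maximal computation of p|t meets a state where t can do 'w'
    def succ(p, t):                          # one step of p|t: tau of p, tau of t, or a synchronisation
        return ([(p2, t) for l, p2 in proc[p] if l == 'tau'] + [(p, t2) for l, t2 in test[t] if l == 'tau']
                + [(p2, t2) for l, p2 in proc[p] for m, t2 in test[t] if l == m != 'tau'])
    done, stack = set(), set()
    def bad(p, t):                           # does an unsuccessful maximal computation start at p|t?
        if any(l == 'w' for l, _ in test[t]) or (p, t) in done: return False
        if (p, t) in stack: return True      # cycle avoiding success = infinite unsuccessful computation
        stack.add((p, t))
        res = not succ(p, t) or any(bad(*s) for s in succ(p, t))   # deadlock, or a bad continuation
        stack.discard((p, t)); done.add((p, t))
        return res
    return not bad(p, t)
def rho_min(proc, test):                     # least fixed point of Definition 4.15, clauses (12) to (15)
    conv = {p for p in proc if converges(proc, p)}        # boxes and Acc require convergence
    def psi(t, rho):                                      # [[psi_t]] in environment rho
        labs = {l for l, _ in test[t]}
        if 'w' in labs: return set(proc)                  # (12): tt
        if not labs: return set()                         # (13): ff
        res = set(conv)
        for l, t2 in test[t]:                             # [tau]X_t' ranges over =>, [a]X_t' over ==a==>
            res &= {p for p in conv if (tau_closure(proc, p) if l == 'tau' else weak(proc, p, l)) <= rho[t2]}
        if 'tau' not in labs:                             # (14) also requires Acc({a | t -a->})
            res &= {p for p in conv if all(any(weak(proc, q, a) for a in labs) for q in tau_closure(proc, p))}
        return res
    rho = {t: set() for t in test}
    while (new := {t: psi(t, rho) for t in test}) != rho: # Kleene iteration from the empty environment
        rho = new
    return rho
```

Checking `rho_min(PROC, TEST)[t] == {p for p in PROC if must_satisfy(PROC, TEST, p, t)}` for every test state `t` reproduces Propositions 4.16 and 4.17 on this instance.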

Combining these two propositions we get our second result. Let us say that a test $t$ from a LTS of tests $\mathcal{T} = \langle T, Act^{\omega}_{\tau}, \rightarrow \rangle$ is finitary if the derived LTS consisting of all states in $T$ accessible from $t$ is finite.

Theorem 4.18. Assuming the LTS of processes is finite branching, every finitary test $t$ is must-representable.

Proof. Consider any test $t$. We can apply Definition 4.15 to the finite LTS of tests reachable from $t$ to obtain a formula $\varphi_t$ which must-represents test $t$. Notice that this formula is not contained in recHML, as it uses simultaneous least fixpoints. However, by Theorem 2.5 there exists a formula $\varphi_{must}(t) \in$ recHML such that $\llbracket \varphi_t \rrbracket = \llbracket \varphi_{must}(t) \rrbracket$; thus $t$ is must-representable. Further, since each operator used in Definition 4.15 to define $\psi_t$ belongs to mustHML, it is ensured that $\varphi_{must}(t) \in$ mustHML. □

As a corollary we are able to show that mustHML is actually the largest language (up to logical equivalence) of must-testable formulae.

Corollary 4.19. Suppose $\varphi$ is a formula in recHML which is must-testable. Then there exists some $\psi$ in mustHML which is logically equivalent to it.

Proof. Suppose $\varphi$ is must-testable. By Theorem 4.14 there exists a finite test $t = t_{must}(\varphi)$ which must-represents $\varphi$. Further, by Theorem 4.18 there exists a formula $\psi = \varphi_{must}(t) \in$ mustHML which must-tests for $t$. Therefore

$$p \in \llbracket \varphi \rrbracket \iff p \text{ must satisfy } t_{must}(\varphi) \iff p \in \llbracket \psi \rrbracket$$

□
5 The may case

In this paper we simply state the corresponding theorems for may testing: 

Theorem 5.1. Suppose the LTS of processes is finite branching. Then for every $\varphi \in$ mayHML, there exists a test $t_{may}(\varphi)$ such that $\varphi$ may-represents the test $t_{may}(\varphi)$.

Theorem 5.2. Assuming the LTS of processes is finite branching, every test $t$ is may-representable.

Corollary 5.3. Suppose $\varphi$ is a formula in recHML which is may-testable. Then there exists some $\psi$ in mayHML which is logically equivalent to it.

Proof. Similar to that of Corollary 4.19. □

Our proofs for Theorem 5.2 and Theorem 5.1 are similar in style to the corresponding results for must testing, namely Theorem 4.18 and Theorem 4.14. Also, as we point out in the Conclusion, they can be recovered by dualising the proofs of the corresponding theorems in [AI99].

6 Conclusions 

We have investigated the relationship between properties of processes as expressed in a recursive version of Hennessy-Milner logic, recHML, and extensional tests as defined in [DH84]. In particular we have shown that both may and must tests can be captured in the logic, and we have isolated logically complete sublanguages of recHML which can be captured by may testing and must testing. One consequence of these results is that the may and must testing preorders of [DH84] are determined by the logical properties in these sublanguages mayHML and mustHML respectively; however this is already a well-known result, [Hen85].

However these results come at the price of modifying the satisfaction relation; to satisfy a box formula a process is required to converge. One consequence of this change is that the language recHML no longer characterises the standard notion of weak bisimulation equivalence, as this equivalence is insensitive to divergence. But there are variations on bisimulation equivalence which do take divergence into account; see for example [Wal88, HP80].

The research reported here was initiated after reading [AI99]; there a notion of testing was used which is different from both may and must testing. They define $s$ passes the test $t$ whenever no computation from $s \mid t$ can perform the success action $\omega$, and give a sub-language which characterises this form of testing. It is easy to check that $s$ passes $t$ if and only if, in our terminology, $s$ may $t$ is not true. So their notion of testing is dual to may testing, and therefore, not surprisingly, our results on may testing are simply dual versions of theirs. However we believe our results on must testing, specifically Theorem 4.14 and Theorem 4.18, are new.

We have concentrated on properties associated essentially with the behavioural theory based on extensional testing. However there are a large number of other behavioural theories; see [Gla93] for an extensive survey, including their characterisation in terms of observational properties.